mirror of
https://github.com/ClickHouse/ClickHouse.git
synced 2024-11-15 03:53:41 +00:00
257 lines
11 KiB
Python
Executable File
257 lines
11 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
import os
|
|
import sys
|
|
|
|
from testflows.core import *
|
|
|
|
append_path(sys.path, "..")
|
|
|
|
from helpers.cluster import Cluster
|
|
from helpers.argparser import argparser
|
|
from rbac.requirements import SRS_006_ClickHouse_Role_Based_Access_Control
|
|
from helpers.common import check_clickhouse_version
|
|
|
|
issue_14091 = "https://github.com/ClickHouse/ClickHouse/issues/14091"
|
|
issue_14149 = "https://github.com/ClickHouse/ClickHouse/issues/14149"
|
|
issue_14224 = "https://github.com/ClickHouse/ClickHouse/issues/14224"
|
|
issue_14418 = "https://github.com/ClickHouse/ClickHouse/issues/14418"
|
|
issue_14451 = "https://github.com/ClickHouse/ClickHouse/issues/14451"
|
|
issue_14566 = "https://github.com/ClickHouse/ClickHouse/issues/14566"
|
|
issue_14674 = "https://github.com/ClickHouse/ClickHouse/issues/14674"
|
|
issue_14810 = "https://github.com/ClickHouse/ClickHouse/issues/14810"
|
|
issue_15165 = "https://github.com/ClickHouse/ClickHouse/issues/15165"
|
|
issue_15980 = "https://github.com/ClickHouse/ClickHouse/issues/15980"
|
|
issue_16403 = "https://github.com/ClickHouse/ClickHouse/issues/16403"
|
|
issue_17146 = "https://github.com/ClickHouse/ClickHouse/issues/17146"
|
|
issue_17147 = "https://github.com/ClickHouse/ClickHouse/issues/17147"
|
|
issue_17653 = "https://github.com/ClickHouse/ClickHouse/issues/17653"
|
|
issue_17655 = "https://github.com/ClickHouse/ClickHouse/issues/17655"
|
|
issue_17766 = "https://github.com/ClickHouse/ClickHouse/issues/17766"
|
|
issue_18110 = "https://github.com/ClickHouse/ClickHouse/issues/18110"
|
|
issue_21083 = "https://github.com/ClickHouse/ClickHouse/issues/21083"
|
|
issue_21084 = "https://github.com/ClickHouse/ClickHouse/issues/21084"
|
|
issue_25413 = "https://github.com/ClickHouse/ClickHouse/issues/25413"
|
|
issue_26746 = "https://github.com/ClickHouse/ClickHouse/issues/26746"
|
|
|
|
xfails = {
|
|
"syntax/show create quota/I show create quota current": [
|
|
(Fail, "https://github.com/ClickHouse/ClickHouse/issues/12495")
|
|
],
|
|
"views/:/create with subquery privilege granted directly or via role/:": [
|
|
(Fail, issue_14091)
|
|
],
|
|
"views/:/create with join query privilege granted directly or via role/:": [
|
|
(Fail, issue_14091)
|
|
],
|
|
"views/:/create with union query privilege granted directly or via role/:": [
|
|
(Fail, issue_14091)
|
|
],
|
|
"views/:/create with join union subquery privilege granted directly or via role/:": [
|
|
(Fail, issue_14091)
|
|
],
|
|
"views/:/create with nested views privilege granted directly or via role/:": [
|
|
(Fail, issue_14091)
|
|
],
|
|
"views/view/select with join query privilege granted directly or via role/:": [
|
|
(Fail, issue_14149)
|
|
],
|
|
"views/view/select with join union subquery privilege granted directly or via role/:": [
|
|
(Fail, issue_14149)
|
|
],
|
|
"views/view/select with nested views privilege granted directly or via role/:": [
|
|
(Fail, issue_14149)
|
|
],
|
|
"views/live view/refresh with privilege granted directly or via role/:": [
|
|
(Fail, issue_14224)
|
|
],
|
|
"views/live view/refresh with privilege revoked directly or from role/:": [
|
|
(Fail, issue_14224)
|
|
],
|
|
"views/live view/select:": [(Fail, issue_14418)],
|
|
"views/live view/select:/:": [(Fail, issue_14418)],
|
|
"views/materialized view/select with:": [(Fail, issue_14451)],
|
|
"views/materialized view/select with:/:": [(Fail, issue_14451)],
|
|
"views/materialized view/modify query:": [(Fail, issue_14674)],
|
|
"views/materialized view/modify query:/:": [(Fail, issue_14674)],
|
|
"views/materialized view/insert on source table privilege granted directly or via role/:": [
|
|
(Fail, issue_14810)
|
|
],
|
|
"privileges/alter ttl/table_type=:/user with some privileges": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/role with some privileges": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/user with privileges on cluster": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/user with privileges from user with grant option": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/user with privileges from role with grant option": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/role with privileges from user with grant option": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/alter ttl/table_type=:/role with privileges from role with grant option": [
|
|
(Fail, issue_14566)
|
|
],
|
|
"privileges/distributed table/:/special cases/insert with table on source table of materialized view:": [
|
|
(Fail, issue_14810)
|
|
],
|
|
"privileges/distributed table/cluster tests/cluster='sharded*": [
|
|
(Fail, issue_15165)
|
|
],
|
|
"privileges/distributed table/cluster tests/cluster=:/special cases/insert with table on source table of materialized view privilege granted directly or via role/:": [
|
|
(Fail, issue_14810)
|
|
],
|
|
"views/materialized view/select from implicit target table privilege granted directly or via role/select from implicit target table, privilege granted directly": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"views/materialized view/insert on target table privilege granted directly or via role/insert on target table, privilege granted through a role": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"views/materialized view/select from implicit target table privilege granted directly or via role/select from implicit target table, privilege granted through a role": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"views/materialized view/insert on target table privilege granted directly or via role/insert on target table, privilege granted directly": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"views/materialized view/select from source table privilege granted directly or via role/select from implicit target table, privilege granted directly": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"views/materialized view/select from source table privilege granted directly or via role/select from implicit target table, privilege granted through a role": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"privileges/alter move/:/:/:/:/move partition to implicit target table of a materialized view": [
|
|
(Fail, ".inner table is not created as expected")
|
|
],
|
|
"privileges/alter move/:/:/:/:/user without ALTER MOVE PARTITION privilege/": [
|
|
(Fail, issue_16403)
|
|
],
|
|
"privileges/alter move/:/:/:/:/user with revoked ALTER MOVE PARTITION privilege/": [
|
|
(Fail, issue_16403)
|
|
],
|
|
"privileges/create table/create with join query privilege granted directly or via role/:": [
|
|
(Fail, issue_17653)
|
|
],
|
|
"privileges/create table/create with join union subquery privilege granted directly or via role/:": [
|
|
(Fail, issue_17653)
|
|
],
|
|
"privileges/create table/create with nested tables privilege granted directly or via role/:": [
|
|
(Fail, issue_17653)
|
|
],
|
|
"privileges/kill mutation/no privilege/kill mutation on cluster": [
|
|
(Fail, issue_17146)
|
|
],
|
|
"privileges/kill query/privilege granted directly or via role/:/": [
|
|
(Fail, issue_17147)
|
|
],
|
|
"privileges/show dictionaries/:/check privilege/:/exists/EXISTS with privilege": [
|
|
(Fail, issue_17655)
|
|
],
|
|
"privileges/public tables/sensitive tables": [(Fail, issue_18110)],
|
|
"privileges/: row policy/nested live:": [(Fail, issue_21083)],
|
|
"privileges/: row policy/nested mat:": [(Fail, issue_21084)],
|
|
"privileges/show dictionaries/:/check privilege/check privilege=SHOW DICTIONARIES/show dict/SHOW DICTIONARIES with privilege": [
|
|
(Fail, "new bug")
|
|
],
|
|
"privileges/show dictionaries/:/check privilege/check privilege=CREATE DICTIONARY/show dict/SHOW DICTIONARIES with privilege": [
|
|
(Fail, "new bug")
|
|
],
|
|
"privileges/show dictionaries/:/check privilege/check privilege=DROP DICTIONARY/show dict/SHOW DICTIONARIES with privilege": [
|
|
(Fail, "new bug")
|
|
],
|
|
"privileges/kill mutation/:/:/KILL ALTER : without privilege": [
|
|
(Fail, issue_25413)
|
|
],
|
|
"privileges/kill mutation/:/:/KILL ALTER : with revoked privilege": [
|
|
(Fail, issue_25413)
|
|
],
|
|
"privileges/kill mutation/:/:/KILL ALTER : with revoked ALL privilege": [
|
|
(Fail, issue_25413)
|
|
],
|
|
"privileges/create table/create with subquery privilege granted directly or via role/create with subquery, privilege granted directly": [
|
|
(Fail, issue_26746)
|
|
],
|
|
"privileges/create table/create with subquery privilege granted directly or via role/create with subquery, privilege granted through a role": [
|
|
(Fail, issue_26746)
|
|
],
|
|
"views/live view/create with join subquery privilege granted directly or via role/create with join subquery, privilege granted directly": [
|
|
(Fail, issue_26746)
|
|
],
|
|
"views/live view/create with join subquery privilege granted directly or via role/create with join subquery, privilege granted through a role": [
|
|
(Fail, issue_26746)
|
|
],
|
|
}
|
|
|
|
xflags = {
|
|
"privileges/alter index/table_type='ReplicatedVersionedCollapsingMergeTree-sharded_cluster'/role with privileges from role with grant option/granted=:/I try to ALTER INDEX with given privileges/I check order by when privilege is granted": (
|
|
SKIP,
|
|
0,
|
|
)
|
|
}
|
|
|
|
ffails = {
|
|
"/clickhouse/rbac/privileges/:/table_type='ReplicatedReplacingMergeTree-sharded_cluster": (
|
|
Skip,
|
|
"Causes clickhouse timeout on 21.10",
|
|
(
|
|
lambda test: check_clickhouse_version(">=21.10")(test)
|
|
and check_clickhouse_version("<21.11")(test)
|
|
),
|
|
),
|
|
"/clickhouse/rbac/views": (
|
|
Skip,
|
|
"Does not work on clickhouse 21.09",
|
|
(
|
|
lambda test: check_clickhouse_version(">=21.9")(test)
|
|
and check_clickhouse_version("<21.10")(test)
|
|
),
|
|
),
|
|
}
|
|
|
|
|
|
@TestModule
|
|
@ArgumentParser(argparser)
|
|
@XFails(xfails)
|
|
@XFlags(xflags)
|
|
@FFails(ffails)
|
|
@Name("rbac")
|
|
@Specifications(SRS_006_ClickHouse_Role_Based_Access_Control)
|
|
def regression(
|
|
self, local, clickhouse_binary_path, clickhouse_version=None, stress=None
|
|
):
|
|
"""RBAC regression."""
|
|
nodes = {"clickhouse": ("clickhouse1", "clickhouse2", "clickhouse3")}
|
|
|
|
self.context.clickhouse_version = clickhouse_version
|
|
|
|
if stress is not None:
|
|
self.context.stress = stress
|
|
|
|
from platform import processor as current_cpu
|
|
|
|
folder_name = os.path.basename(current_dir())
|
|
if current_cpu() == "aarch64":
|
|
env = f"{folder_name}_env_arm64"
|
|
else:
|
|
env = f"{folder_name}_env"
|
|
|
|
with Cluster(
|
|
local,
|
|
clickhouse_binary_path,
|
|
nodes=nodes,
|
|
docker_compose_project_dir=os.path.join(current_dir(), env),
|
|
) as cluster:
|
|
self.context.cluster = cluster
|
|
|
|
Feature(run=load("rbac.tests.syntax.feature", "feature"))
|
|
Feature(run=load("rbac.tests.privileges.feature", "feature"))
|
|
Feature(run=load("rbac.tests.views.feature", "feature"))
|
|
|
|
|
|
if main():
|
|
regression()
|